Objective 1.3 – Secure VMware ESX/ESXi
Written by Matthijs van den Berg   
Tuesday, 06 October 2009 15:07

Knowledge

 

  • Identify default security principles
    • When installing ESX, keep the Service Console firewall at its default security level, high
    • Do not allow root login over SSH; log in as a named user and escalate with sudo, and use SSH/SCP rather than cleartext protocols such as telnet or FTP
    • Disable all unnecessary services in the Service Console (COS)
    • Use vCenter Server roles and permissions to grant granular access to hosts and VMs
    • Stay current with patches
    • Control user-level access through vCenter Server rather than through local host accounts wherever possible
  • Understand Service Console firewall operation
    By default, all incoming connections to the Service Console of an ESX host are blocked. A firewall on the ESX host inspects all incoming traffic and allows only what is explicitly permitted in the firewall configuration. The firewall can be configured in two ways: from the command line (esxcfg-firewall) or from the vSphere Client.
    • Service Console Security Level
      The VMware firewall protecting the Service Console has three predefined security levels. A standard install defaults to high, which blocks both incoming and outgoing connections unless a service or port has been explicitly enabled. Even at high, the ports that installed services need (SSH server, vCenter heartbeats, NTP client, CIM) are opened by enabling those services, not by lowering the level.
      • High
        • Incoming ports blocked by default.
        • Outgoing ports blocked by default.
      • Medium
        • Incoming ports blocked by default.
        • Outgoing ports not blocked by default.
      • Low
        • Incoming ports not blocked by default.
        • Outgoing ports not blocked by default.
    • Opening/Closing ports in the firewall using the vSphere Client
      The vSphere Client can be used to open and close ports on an ESX host. To do so:
      • Select your ESX host
      • Go to the Configuration tab and choose Security Profile
      • Click “Properties” in the upper right corner of the screen. In the dialog that opens, tick the services whose ports should be opened. To open additional, non-listed ports you need the command line (esxcfg-firewall -o port,protocol,direction,name).
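The firewall levels above map directly onto what `esxcfg-firewall -q` reports, so the state of a host can be audited rather than eyeballed. The script below is an added example and is not from the study guide: it classifies a status text as High, Medium, Low or Custom, lists enabled services that are not on an assumed baseline, and prints (without executing) the esxcfg-firewall commands that would bring the host back to High. The layout of the status text, the baseline service list and the constructed SAMPLE are assumptions, modelled on the `esxcfg-firewall -q` output rather than captured from a real host.

```shell
#!/bin/sh
# Service Console firewall audit: compare `esxcfg-firewall -q` output with the
# High security level and a baseline of expected services, and print the
# esxcfg-firewall commands that would restore that state.
# Added example, not from the study guide. The layout of the status text
# (the SAMPLE below) is an assumption modelled on the esxcfg-firewall -q output.

# Services a managed host is assumed to need (baseline, adjust per environment).
BASELINE_SERVICES="CIMHttpsServer CIMSLP ntpClient sshServer vpxHeartbeats"

# Constructed sample status from a host lowered to Medium, with an extra
# service enabled and an ad-hoc port opened (not captured from a real host).
SAMPLE='Incoming ports blocked by default.
Outgoing ports not blocked by default.
Enabled services: CIMHttpsServer CIMSLP ntpClient sshServer vpxHeartbeats ftpClient
Opened ports:
Port 8000 (tcp.in) backupAgent
'

# security_level STATUS -> High | Medium | Low | Custom
security_level() {
    in_blocked=0; out_blocked=0
    printf '%s\n' "$1" | grep -q '^Incoming ports blocked by default' && in_blocked=1
    printf '%s\n' "$1" | grep -q '^Outgoing ports blocked by default' && out_blocked=1
    case "$in_blocked$out_blocked" in
        11) echo High ;;
        10) echo Medium ;;
        00) echo Low ;;
        *)  echo Custom ;;   # incoming open, outgoing blocked: not a predefined level
    esac
}

# unexpected_services STATUS -> enabled services missing from the baseline, one per line
unexpected_services() {
    for svc in $(printf '%s\n' "$1" | sed -n 's/^Enabled services: *//p'); do
        case " $BASELINE_SERVICES " in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# opened_ports STATUS -> the individually opened port lines (after "Opened ports:")
opened_ports() {
    printf '%s\n' "$1" | sed -n '/^Opened ports:/,$p' | sed '1d;/^$/d'
}

# remediation STATUS -> commands that return the host to High with only baseline
# services enabled. Printed rather than executed so they can be reviewed first:
# --blockOutgoing also cuts DNS/NTP/vCenter traffic unless those services stay enabled.
remediation() {
    printf '%s\n' "$1" | grep -q '^Incoming ports not blocked' && echo "esxcfg-firewall --blockIncoming"
    printf '%s\n' "$1" | grep -q '^Outgoing ports not blocked' && echo "esxcfg-firewall --blockOutgoing"
    for svc in $(unexpected_services "$1"); do
        echo "esxcfg-firewall -d $svc"
    done
    # "Port 8000 (tcp.in) backupAgent" -> esxcfg-firewall -c 8000,tcp,in
    opened_ports "$1" | while read -r _ port pd _; do
        pd=${pd#\(}; pd=${pd%\)}
        echo "esxcfg-firewall -c $port,${pd%.*},${pd#*.}"
    done
}

# Run with --live on the host itself; without it the constructed sample is audited.
if [ "${1:-}" = "--live" ]; then STATUS=$(esxcfg-firewall -q); else STATUS=$SAMPLE; fi
echo "Security level: $(security_level "$STATUS")"
echo "Remediation:"
remediation "$STATUS"
```

On the constructed sample the audit reports Medium and proposes `--blockOutgoing`, disabling ftpClient and closing port 8000/tcp inbound. Review the list before running it: every service you disable must really be unused, and `esxcfg-firewall -r` resets the whole configuration to defaults if a host has drifted too far to patch piecemeal.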
  • Set up user/group accounts
    Because this chapter is about ESX/ESXi, this presumably refers to setting up users and groups on the local ESX host. Local accounts live in the Service Console and are created with the usual Linux tools (groupadd, useradd, passwd) or through the vSphere Client connected directly to the host. Another way to authenticate users locally on an ESX host is to enable Active Directory authentication for local accounts (esxcfg-auth), so that the account exists locally but the password is checked against the domain.

  • Determine applications needed for accessing the service console in a given scenario
    There are roughly two ways to access the Service Console: from the local terminal (monitor and keyboard) or remotely with an SSH (Secure Shell) client. Linux and Mac OS X ship an SSH client by default; on Windows, PuTTY is a popular choice.

    Before you can reach an ESX host with a remote client, the SSH server must be explicitly allowed through the Service Console firewall (the sshServer service) and an account to log in with must exist. Remote root login over SSH is disabled by default; it can be enabled, but that is not a best practice. The most secure way is to log in as a regular user and use sudo to run privileged commands, which also leaves a log of which person ran what as root.
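Putting the last two items together (local accounts plus no root over SSH, the principle also listed at the top of the page), the script below is an added example and not from the study guide. It creates an admin group and user, appends a restricted sudo rule only after `visudo -c` accepts the result, and rewrites sshd_config so that root cannot log in remotely and only the admin group can. It assumes a RHEL-style Service Console with useradd/groupadd, visudo, `service sshd restart` and an OpenSSH sshd_config; the group name esxadmins and the /usr/sbin/esxcfg-* command path in the sudo rule are illustrative.

```shell
#!/bin/sh
# Replace root-over-SSH with a named admin account that escalates through sudo.
# Added example, not from the study guide. Assumed: the ESX Service Console is a
# RHEL-style Linux with useradd/groupadd, visudo and an OpenSSH sshd_config; the
# group name esxadmins and the /usr/sbin/esxcfg-* path are illustrative.

# set_sshd_option FILE KEY VALUE: drop every top-level KEY line (active, or
# commented out OpenSSH-style as "#KEY ...") and put one active directive at the
# top of the file. sshd honours the first value it reads, and a directive placed
# after a "Match" block would apply only to that block, so prepending is the
# safe, idempotent choice. Indented lines inside Match blocks are left alone.
set_sshd_option() {
    file=$1; key=$2; value=$3
    { printf '%s %s\n' "$key" "$value"
      grep -v "^#\{0,1\}$key[[:space:]]" "$file" || true; } > "$file.tmp"
    mv "$file.tmp" "$file"
}

# permit_root_login FILE -> effective PermitRootLogin value: the first global
# directive before any Match block, or "yes", OpenSSH's built-in default.
permit_root_login() {
    v=$(sed -n '/^[[:space:]]*Match[[:space:]]/q; s/^[[:space:]]*PermitRootLogin[[:space:]]\{1,\}//p' "$1" | head -n 1)
    echo "${v:-yes}"
}

# sudoers_rule GROUP -> sudoers lines that let GROUP run the ESX configuration
# tools as root and nothing else (no shell, no arbitrary commands).
sudoers_rule() {
    printf 'Cmnd_Alias ESXCFG = /usr/sbin/esxcfg-*\n'
    printf '%%%s ALL=(root) ESXCFG\n' "$1"
}

# Apply on a host: sh harden-access.sh --apply <username>
if [ "${1:-}" = "--apply" ]; then
    admin_group=esxadmins
    admin_user=${2:?username required}
    groupadd "$admin_group" 2>/dev/null || true
    useradd -m -G "$admin_group" "$admin_user"
    passwd "$admin_user"

    # Append the sudo rule only if the resulting file passes visudo's syntax check;
    # a broken /etc/sudoers would lock every non-root admin out of sudo.
    { cat /etc/sudoers; sudoers_rule "$admin_group"; } > /tmp/sudoers.new
    visudo -c -f /tmp/sudoers.new && cat /tmp/sudoers.new > /etc/sudoers
    rm -f /tmp/sudoers.new

    # Root may no longer log in over SSH, and only the admin group may.
    set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
    set_sshd_option /etc/ssh/sshd_config AllowGroups "$admin_group"
    service sshd restart
    echo "PermitRootLogin is now: $(permit_root_login /etc/ssh/sshd_config)"
fi
```

Keep a console session open while restarting sshd and test the new account from a second client before closing it; AllowGroups locks out every user not in the group, root included. Without `--apply` the script only defines the functions, so the config editing and the effective-value check can be exercised on a copy of sshd_config first.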

 

Tools

 

 
